Add files for enforced DNS

3 years ago · fabbcd7fb5
--- a/anbox_files/dns_enforced/README.md
+++ b/anbox_files/dns_enforced/README.md
@ -0,0 +1,9 @@
 ## Installation

 `anbox-restart.sh` -> `/usr/local/bin/anbox-restart` and `chmod +x $(which anbox-restart)`

 `anbox-exec` -> `/usr/local/bin/anbox-exec` and `chmod +x $(which anbox-exec)`

 `anbox-session-manager` -> `/usr/local/bin/anbox-session-manager` and `chmod +x $(which anbox-session-manager)`

 `local-iptables` -> apply rules to your iptables, or allow DNS for `anbox0` interface by other means
--- a/anbox_files/dns_enforced/anbox-exec.sh
+++ b/anbox_files/dns_enforced/anbox-exec.sh
@ -0,0 +1,29 @@
 #!/bin/sh

 DNS_LOCAL="192.168.250.1.53"

 if [ "$(id -u)" -ne 0 ]; then
    echo "ERROR: You need to run this script as root!"
    exit 1
 fi

 CONTAINER_PATH="$SNAP_COMMON/containers"
 CONTAINER_NAME=default

 if [ -z "$SNAP" ] ; then
    CONTAINER_PATH=/var/lib/anbox/containers
 fi

 state=$(lxc-info -P "$CONTAINER_PATH" -n "$CONTAINER_NAME" -s | cut -d':' -f 2 | tr -d '[:space:]')
 if [ "$state" != "RUNNING" ] ; then
    echo "ERROR: Cannot attach to container as it is not running"
    exit 1
 fi

 exec lxc-attach \
    -P "$CONTAINER_PATH" \
    -n "$CONTAINER_NAME" \
    --clear-env -- \
 /system/bin/sh -c \
 "/system/bin/iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination ${DNS_LOCAL}
 /system/bin/iptables -t nat -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j DNAT --to-destination ${DNS_LOCAL}"
--- a/anbox_files/dns_enforced/anbox-restart.sh
+++ b/anbox_files/dns_enforced/anbox-restart.sh
@ -0,0 +1,7 @@
 #!/bin/env bash

 sudo systemctl restart anbox-container-manager.service
 sleep 2
 systemctl --user restart anbox-session-manager
 sleep 2
 sudo anbox-exec
--- a/anbox_files/dns_enforced/anbox-session-manager
+++ b/anbox_files/dns_enforced/anbox-session-manager
@ -0,0 +1,13 @@
 #!/bin/env bash

 # This is a simple wrapper workaround. If we launch Anbox session manager before a desktop/Xorg session,
 # the session simply fails to launch, complaining about insufficient drm permissions (permission denied 13)
 # in a Xorg log file.

 # Use this script as start-up program in your desktop session start-up application menu. It ensures that
 # Xorg session starts BEFORE Anbox session manager, and both succeed to launch.

 if [[ $(systemctl is-active anbox-container-manager.service) ]]; then
  systemctl --user start anbox-session-manager
  anbox-exec
 fi
--- a/anbox_files/dns_enforced/local-iptables
+++ b/anbox_files/dns_enforced/local-iptables
@ -0,0 +1,4 @@
 # These rules apply to a local DNS server, running on the same computer than Anbox

 -A INPUT -i anbox0 -p tcp --dport 53 -j ACCEPT
 -A INPUT -i anbox0 -p udp --dport 53 -j ACCEPT